Poke Me: Pitting e-customer ‘convenience’ against cyber security is a dangerous precedent to set

This week's "Poke Me" invites your comments on "Pitting e-customer ‘convenience’ against cyber security is a dangerous precedent to set". The feature will be reproduced on the edit page of the Saturday edition of the newspaper with a pick of readers' best comments. So be poked and fire in your comments to us right away. Comments reproduced in the paper will be the ones that support or oppose the views expressed here intelligently. Feel free to add reference links etc. in support of your comments.

Don’t let the bed bugs bite

Bedavyasa Mohanty

In the middle of the demonetisation drive and its resultant growing pains, the Reserve Bank of India (RBI) on December 6 relaxed additional factor authentication for internet-based transactions under Rs 2,000. Citing industry demands and customer convenience, the RBI has taken a step that can only be seen as regressive.

Two-factor authentication was introduced in 2009 owing to the increasing use of credit and debit cards and the consequent need to ensure the security of electronic transactions. Every financial transaction where a card could not be physically presented would be verified by a two-step process involving both the number of the card and a second, secret number that only the customer would know (a Verified by Visa password or a one-time password (OTP)).

Today, the number of such transactions has skyrocketed. This has only been made possible due to the consumer’s trust in the system -- the understanding that the regulator will ensure implementation of global standards to protect the integrity of financial data.

The importance of this continued trust seems to have been lost on the RBI. Exploitation of digital networks by non-state actors has spurred regulators worldwide to adopt more sophisticated measures to protect online transactions. The US National Institute of Standards and Technology (NIST) has discouraged the use of SMS-based two-factor authentication as it no longer provides adequate security.

Responding to warnings by cyber-security experts that hackers have devised ways to intercept OTPs, the NIST, in its latest draft of the Digital Authentication Guideline, has noted that the removal of SMS-based authentication as a preferred method of two-factor authentication is being considered. The RBI’s approach, however, seems to be in the reverse direction by reducing the number of safeguards available.

The alternative to two-factor authentication it has suggested is no solution at all. The notification now allows banks (instead of payment gateways) to offer payment authentication services through authorised card networks such as Visa and MasterCard. A customer opting out of two-factor authentication would have to undergo a one-time registration on the network with her card details and then only log in to the network for all subsequent transactions.

These networks, for all intents and purposes, would function in a manner similar to online wallets such as PayTM and MobiKwik. There are, however, associated risks with the process that the RBI has failed to account for.

Upon availing of the exemption from two-factor authentication, the only credential required of an online customer would be her login details. Loss or compromise of these details would allow an unauthorised person to use her credit/debit card to make purchases up to Rs 2,000. As per the RBI’s draft customer protection circular released in August, the customer will be held wholly liable if her payment credentials have been misused.

As the notification suggests, cases such as these can be partially restricted by setting velocity limits for the number of transactions allowed per day. However, this is merely damage control. Ideally, policy should aim to prevent damage in the first place.
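To make the "damage control" point concrete, the following is an added example, not code from the article, the RBI notification or any card network: a toy card-not-present authorisation policy that waives the second factor below the Rs 2,000 figure from the article and enforces a per-card daily velocity limit, then computes the exposure that remains if a customer's login details leak. The velocity limit of five per day, the card identifiers and the timestamps are constructed for illustration.

```python
"""Added example: toy authorisation policy modelling the relaxation described
in the article (no second factor under Rs 2,000, per-card daily velocity
limit) and the residual exposure from a compromised login.
Threshold taken from the article; everything else is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AFA_THRESHOLD = 2000          # article: additional factor waived below Rs 2,000
DAILY_VELOCITY_LIMIT = 5      # constructed: exempt transactions per card per day


@dataclass
class Transaction:
    card: str
    amount: int
    when: datetime
    second_factor_ok: bool = False   # True if an OTP / Verified by Visa step passed


@dataclass
class AuthorisationPolicy:
    threshold: int = AFA_THRESHOLD
    velocity_limit: int = DAILY_VELOCITY_LIMIT
    # per-card timestamps of approvals that went through without a second factor
    _exempt_log: dict = field(default_factory=dict)

    def _exempt_count_last_24h(self, card, now):
        window_start = now - timedelta(days=1)
        log = self._exempt_log.setdefault(card, [])
        # drop entries outside the rolling window so the log stays bounded
        log[:] = [t for t in log if t > window_start]
        return len(log)

    def authorise(self, tx):
        """Return (approved, reason) for one transaction."""
        if tx.amount >= self.threshold:
            if tx.second_factor_ok:
                return True, "approved: second factor verified"
            return False, "declined: second factor required at or above threshold"
        # Below the threshold the login alone suffices; only velocity applies.
        if self._exempt_count_last_24h(tx.card, tx.when) >= self.velocity_limit:
            return False, "declined: daily velocity limit reached"
        self._exempt_log[tx.card].append(tx.when)
        return True, "approved: below threshold, no second factor"


def max_daily_exposure(policy):
    """Worst-case loss per day from leaked login details: the velocity limit
    times the largest amount still exempt from a second factor."""
    return policy.velocity_limit * (policy.threshold - 1)


def exposure_if_credentials_leak(policy, card, start):
    """Constructed scenario: someone holding only the login details submits
    the largest exempt amount repeatedly within one day. Returns the total
    the policy approves, i.e. what the velocity limit fails to prevent."""
    total = 0
    for i in range(policy.velocity_limit + 3):   # a few attempts past the cap
        tx = Transaction(card, policy.threshold - 1, start + timedelta(minutes=i))
        approved, _ = policy.authorise(tx)
        if approved:
            total += tx.amount
    return total


def demo():
    """Run the scenario on constructed data and return the key figures."""
    policy = AuthorisationPolicy()
    day = datetime(2016, 12, 6, 9, 0)          # constructed timestamp
    leaked_total = exposure_if_credentials_leak(policy, "card-A", "card-A" and day)
    above_no_otp, _ = policy.authorise(Transaction("card-B", 2500, day))
    above_with_otp, _ = policy.authorise(
        Transaction("card-B", 2500, day, second_factor_ok=True))
    return {
        "max_daily_exposure": max_daily_exposure(policy),
        "approved_after_leak": leaked_total,
        "above_threshold_without_otp": above_no_otp,
        "above_threshold_with_otp": above_with_otp,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The figure to note is that the velocity limit only caps the loss (here five exempt transactions of Rs 1,999, or Rs 9,995 per card per day); the first fraudulent transaction after a credential leak is approved regardless, which is why the article calls the limit damage control rather than prevention.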

The RBI notification also seems to consider the arbitrary amount of Rs 2,000 as too small to qualify for modern standards of security. Small-value transactions, however, form the bulwark of e-commerce. Their importance has only increased post-demonetisation.

By most recent estimates, while the cash crunch has caused a rise in the number of card-based transactions, the average value of card transactions has fallen by up to 30%. The National Payments Corporation of India (NPCI), which manages the RuPay platform, has claimed a sharp fall from Rs 1,900 to Rs 1,700 post-demonetisation. This could potentially leave a large number of financial transactions open to fraudulent exploitation.

The RBI’s ill-conceived policy, however, is emblematic of a larger disregard for the security of data. India ranks third in terms of countries most affected by banking malware. The last major financial breach affected 3.2 million debit cards issued by 19 Indian banks. The malware reportedly first affected Hitachi Payment Systems, a payments service provider that offers not only ATM management services but also non-cash payments solutions.

Apart from a cursory review of the banks’ cyber security systems and addressing the malware infection, no concrete steps have yet been taken to address systemic vulnerabilities. The stakes have only risen in the wake of demonetisation.

In November, GoI waived transaction charges on debit card payments until December 31. This move was shortly followed by an announcement that service tax on card payments up to Rs 2,000 would be waived. The relaxation of the two-factor authentication, however, stands apart from these incentives.

Rolling back the security standards that other advanced economies are trying to improve upon is the regulatory equivalent of taking one step forward and two steps back. India’s vision of becoming a cashless economy can’t be based on a false equivalence between the ‘convenience’ of customers and the security of their money.

The writer is a researcher, Cyber Initiative, Observer Research Foundation
